
The Vermont Statutes Online

The statutes were updated in November, 2018, and contain all actions of the
2018 legislative session.

Title 9: Commerce and Trade

Chapter 062: PROTECTION OF PERSONAL INFORMATION

  • Subchapter 001: GENERAL PROVISIONS
  • [Section 2430 effective until January 1, 2019; see also section 2430 effective January 1, 2019.]

    § 2430. Definitions

    The following definitions shall apply throughout this chapter unless otherwise required:

    (1) "Business" means a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but in no case shall it include the State, a State agency, or any political subdivision of the State.

    (2) "Consumer" means an individual residing in this State.

    (3) "Data collector" may include the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

    (4) "Encryption" means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.

    (5)(A) "Personally identifiable information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:

    (i) Social Security number;

    (ii) motor vehicle operator's license number or nondriver identification card number;

    (iii) financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;

    (iv) account passwords or personal identification numbers or other access codes for a financial account.

    (B) "Personally identifiable information" does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.

    (6) "Records" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

    (7) "Redaction" means the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number are accessible as part of the data.

    (8)(A) "Security breach" means unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by the data collector.

    (B) "Security breach" does not include good faith but unauthorized acquisition of personally identifiable information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personally identifiable information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

    (C) In determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data collector may consider the following factors, among others:

    (i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;

    (ii) indications that the information has been downloaded or copied;

    (iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

    (iv) that the information has been made public. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012.)

  • [Section 2430 effective January 1, 2019; see also section 2430 effective until January 1, 2019.]

    § 2430. Definitions

    As used in this chapter:

    (1)(A) "Brokered personal information" means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:

    (i) name;

    (ii) address;

    (iii) date of birth;

    (iv) place of birth;

    (v) mother's maiden name;

    (vi) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;

    (vii) name or address of a member of the consumer's immediate family or household;

    (viii) Social Security number or other government-issued identification number; or

    (ix) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.

    (B) "Brokered personal information" does not include publicly available information to the extent that it is related to a consumer's business or profession.

    (2) "Business" means a commercial entity, including a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but does not include the State, a State agency, any political subdivision of the State, or a vendor acting solely on behalf of, and at the direction of, the State.

    (3) "Consumer" means an individual residing in this State.

    (4)(A) "Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

    (B) Examples of a direct relationship with a business include if the consumer is a past or present:

    (i) customer, client, subscriber, user, or registered user of the business's goods or services;

    (ii) employee, contractor, or agent of the business;

    (iii) investor in the business; or

    (iv) donor to the business.

    (C) The following activities conducted by a business, and the collection and sale or licensing of brokered personal information incidental to conducting these activities, do not qualify the business as a data broker:

    (i) developing or maintaining third-party e-commerce or application platforms;

    (ii) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;

    (iii) providing publicly available information related to a consumer's business or profession; or

    (iv) providing publicly available information via real-time or near-real-time alert services for health or safety purposes.

    (D) The phrase "sells or licenses" does not include:

    (i) a one-time or occasional sale of assets of a business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business; or

    (ii) a sale or license of data that is merely incidental to the business.

    (5)(A) "Data broker security breach" means an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker when the brokered personal information is not encrypted, redacted, or protected by another method that renders the information unreadable or unusable by an unauthorized person.

    (B) "Data broker security breach" does not include good faith but unauthorized acquisition of brokered personal information by an employee or agent of the data broker for a legitimate purpose of the data broker, provided that the brokered personal information is not used for a purpose unrelated to the data broker's business or subject to further unauthorized disclosure.

    (C) In determining whether brokered personal information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data broker may consider the following factors, among others:

    (i) indications that the brokered personal information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing brokered personal information;

    (ii) indications that the brokered personal information has been downloaded or copied;

    (iii) indications that the brokered personal information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

    (iv) that the brokered personal information has been made public.

    (6) "Data collector" means a person who, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personally identifiable information, and includes the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, and retail operators.

    (7) "Encryption" means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.

    (8) "License" means a grant of access to, or distribution of, data by one person to another in exchange for consideration. A use of data for the sole benefit of the data provider, where the data provider maintains control over the use of the data, is not a license.

    (9)(A) "Personally identifiable information" means a consumer's first name or first initial and last name in combination with any one or more of the following digital data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:

    (i) Social Security number;

    (ii) motor vehicle operator's license number or nondriver identification card number;

    (iii) financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;

    (iv) account passwords or personal identification numbers or other access codes for a financial account.

    (B) "Personally identifiable information" does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.

    (10) "Record" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

    (11) "Redaction" means the rendering of data so that the data are unreadable or are truncated so that no more than the last four digits of the identification number are accessible as part of the data.

    (12)(A) "Security breach" means unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by a data collector.

    (B) "Security breach" does not include good faith but unauthorized acquisition of personally identifiable information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personally identifiable information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

    (C) In determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data collector may consider the following factors, among others:

    (i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;

    (ii) indications that the information has been downloaded or copied;

    (iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

    (iv) that the information has been made public. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012; 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)

  • [Section 2431 effective January 1, 2019.]

    § 2431. Acquisition of brokered personal information; prohibitions

    (a) Prohibited acquisition and use.

    (1) A person shall not acquire brokered personal information through fraudulent means.

    (2) A person shall not acquire or use brokered personal information for the purpose of:

    (A) stalking or harassing another person;

    (B) committing a fraud, including identity theft, financial fraud, or e-mail fraud; or

    (C) engaging in unlawful discrimination, including employment discrimination and housing discrimination.

    (b) Enforcement.

    (1) A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.

    (2) The Attorney General has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under chapter 63, subchapter 1 of this title. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)


  • Subchapter 002: SECURITY BREACH NOTICE ACT
  • § 2435. Notice of security breaches

    (a) This section shall be known as the Security Breach Notice Act.

    (b) Notice of breach.

    (1) Except as set forth in subsection (d) of this section, any data collector that owns or licenses computerized personally identifiable information that includes personal information concerning a consumer shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. Notice of the security breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency, as provided in subdivisions (3) and (4) of this subsection (b), or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.

    (2) Any data collector that maintains or possesses computerized data containing personally identifiable information of a consumer that the data collector does not own or license or any data collector that acts or conducts business in Vermont that maintains or possesses records or data containing personally identifiable information that the data collector does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subdivisions (3) and (4) of this subsection (b).

    (3) A data collector or other entity subject to this subchapter shall provide notice of a breach to the Attorney General or to the Department of Financial Regulation, as applicable, as follows:

    (A) A data collector or other entity regulated by the Department of Financial Regulation under Title 8 or this title shall provide notice of a breach to the Department. All other data collectors or other entities subject to this subchapter shall provide notice of a breach to the Attorney General.

    (B)(i) The data collector shall notify the Attorney General or the Department, as applicable, of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days, consistent with the legitimate needs of the law enforcement agency as provided in this subdivision (3) and subdivision (4) of this subsection (b), of the data collector's discovery of the security breach or when the data collector provides notice to consumers pursuant to this section, whichever is sooner.

    (ii) Notwithstanding subdivision (B)(i) of this subdivision (b)(3), a data collector who, prior to the date of the breach, on a form and in a manner prescribed by the Attorney General, had sworn in writing to the Attorney General that it maintains written policies and procedures to maintain the security of personally identifiable information and respond to a breach in a manner consistent with Vermont law shall notify the Attorney General of the date of the security breach and the date of discovery of the breach and shall provide a description of the breach prior to providing notice of the breach to consumers pursuant to subdivision (1) of this subsection (b).

    (iii) If the date of the breach is unknown at the time notice is sent to the Attorney General or to the Department, the data collector shall send the Attorney General or the Department the date of the breach as soon as it is known.

    (iv) Unless otherwise ordered by a court of this State for good cause shown, a notice provided under this subdivision (3)(B) shall not be disclosed to any person other than the Department, the authorized agent or representative of the Attorney General, a State's Attorney, or another law enforcement officer engaged in legitimate law enforcement activities without the consent of the data collector.

    (C)(i) When the data collector provides notice of the breach pursuant to subdivision (1) of this subsection (b), the data collector shall notify the Attorney General or the Department, as applicable, of the number of Vermont consumers affected, if known to the data collector, and shall provide a copy of the notice provided to consumers under subdivision (1) of this subsection (b).

    (ii) The data collector may send to the Attorney General or the Department, as applicable, a second copy of the consumer notice, from which is redacted the type of personally identifiable information that was subject to the breach, and which the Attorney General or the Department shall use for any public disclosure of the breach.

    (4)(A) The notice to a consumer required by this subsection shall be delayed upon request of a law enforcement agency. A law enforcement agency may request the delay if it believes that notification may impede a law enforcement investigation, or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. In the event law enforcement makes the request for a delay in a manner other than in writing, the data collector shall document such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. A law enforcement agency shall promptly notify the data collector in writing when the law enforcement agency no longer believes that notification may impede a law enforcement investigation, or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. The data collector shall provide notice required by this section without unreasonable delay upon receipt of a written communication, which includes facsimile or electronic communication, from the law enforcement agency withdrawing its request for delay.

    (B) A Vermont law enforcement agency with a reasonable belief that a security breach has or may have occurred at a specific business shall notify the business in writing of its belief. The agency shall also notify the business that additional information on the security breach may need to be furnished to the Office of the Attorney General or the Department of Financial Regulation and shall include the website and telephone number for the Office and the Department in the notice required by this subdivision. Nothing in this subdivision shall alter the responsibilities of a data collector under this section or provide a cause of action against a law enforcement agency that fails, without bad faith, to provide the notice required by this subdivision.

    (5) The notice to a consumer shall be clear and conspicuous. The notice shall include a description of each of the following, if known to the data collector:

    (A) the incident in general terms;

    (B) the type of personally identifiable information that was subject to the security breach;

    (C) the general acts of the data collector to protect the personally identifiable information from further security breach;

    (D) a telephone number, toll-free if available, that the consumer may call for further information and assistance;

    (E) advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and

    (F) the approximate date of the security breach.

    (6) A data collector may provide notice of a security breach to a consumer by one or more of the following methods:

    (A) Direct notice, which may be by one of the following methods:

    (i) written notice mailed to the consumer's residence;

    (ii) electronic notice, for those consumers for whom the data collector has a valid e-mail address if:

    (I) the data collector's primary method of communication with the consumer is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the consumer provide personal information, and the electronic notice conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches; or

    (II) the notice is consistent with the provisions regarding electronic records and signatures for notices in 15 U.S.C. § 7001; or

    (iii) telephonic notice, provided that telephonic contact is made directly with each affected consumer and not through a prerecorded message.

    (B)(i) Substitute notice, if:

    (I) the data collector demonstrates that the cost of providing written or telephonic notice to affected consumers would exceed $5,000.00;

    (II) the class of affected consumers to be provided written or telephonic notice exceeds 5,000; or

    (III) the data collector does not have sufficient contact information.

    (ii) A data collector shall provide substitute notice by:

    (I) conspicuously posting the notice on the data collector's website if the data collector maintains one; and

    (II) notifying major statewide and regional media.

    (c) In the event a data collector provides notice to more than 1,000 consumers at one time pursuant to this section, the data collector shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice. This subsection shall not apply to a person who is licensed or registered under Title 8 by the Department of Financial Regulation.

    (d)(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection (d). If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont Attorney General or to the Department of Financial Regulation in the event that the data collector is a person or entity licensed or registered with the Department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont Attorney General or the Department of Financial Regulation as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in 1 V.S.A. § 317(c)(9).

    (2) If a data collector established that misuse of personal information was not reasonably possible under subdivision (1) of this subsection (d), and subsequently obtains facts indicating that misuse of the personal information has occurred or is occurring, the data collector shall provide notice of the security breach pursuant to subsection (b) of this section.

    (e) Any waiver of the provisions of this subchapter is contrary to public policy and is void and unenforceable.

    (f) Except as provided in subdivision (3) of this subsection (f), a financial institution that is subject to the following guidances, and any revisions, additions, or substitutions relating to an interagency guidance shall be exempt from this section:

    (1) The Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

    (2) Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration.

    (3) A financial institution regulated by the Department of Financial Regulation that is subject to subdivision (1) or (2) of this subsection (f) shall notify the Department as soon as possible after it becomes aware of an incident involving unauthorized access to or use of personally identifiable information.

    (g) Enforcement.

    (1) With respect to all data collectors and other entities subject to this subchapter, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State's Attorney shall have sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations made pursuant to this chapter as the Attorney General and State's Attorney have under chapter 63 of this title. The Attorney General may refer the matter to the State's Attorney in an appropriate case. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State's Attorney under this subsection.

    (2) With respect to a data collector that is a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation shall have the full authority to investigate potential violations of this subchapter and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter, as the Department has under Title 8 or this title or any other applicable law or regulation.

    (h) [Repealed.] (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 78 (Adj. Sess.), § 2, eff. April 2, 2012; 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012; 2013, No. 29, §§ 10, 11, eff. May 13, 2013; 2013, No. 199 (Adj. Sess.), § 67; 2015, No. 55, § 8.)


  • Subchapter 003: SOCIAL SECURITY NUMBER PROTECTION ACT
  • § 2440. Social Security number protection

    (a) This section shall be known as the Social Security Number Protection Act.

    (b) Except as provided in subsection (c) of this section, a business may not do any of the following:

    (1) intentionally communicate or otherwise make available to the general public an individual's Social Security number;

    (2) intentionally print or imbed an individual's Social Security number on any card required for the individual to access products or services provided by the person or entity;

    (3) require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted;

    (4) require an individual to use his or her Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website;

    (5) print an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed;

    (6) sell, lease, lend, trade, rent, or otherwise intentionally disclose an individual's Social Security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's Social Security number.

    (c) Subsection (b) of this section shall not apply:

    (1) When a Social Security number is included in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy; or to confirm the accuracy of the Social Security number for the purpose of obtaining a credit report pursuant to 15 U.S.C. § 1681(b)(2). A Social Security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on an envelope without the envelope having been opened.

    (2) To the collection, use, or release of a Social Security number reasonably necessary for administrative purposes or internal verification.

    (3) To the opening of an account or the provision of or payment for a product or service authorized by an individual.

    (4) To the collection, use, or release of a Social Security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.; undertake a permissible purpose enumerated under Gramm Leach Bliley, 12 C.F.R. § 216.13-15; or locate an individual who is missing, is a lost relative, or is due a benefit, such as a pension, insurance, or unclaimed property benefit.

    (5) To a business acting pursuant to a court order, warrant, subpoena, or when otherwise required by law, or in response to a facially valid discovery request pursuant to rules applicable to a court or administrative body that has jurisdiction over the disclosing entity.

    (6) To a business providing the Social Security number to a federal, State, or local government entity, including a law enforcement agency, the Department of Public Safety, and a court, or their agents or assigns.

    (7) To a Social Security number that has been redacted.

    (8)(A) To a business that has used, prior to January 1, 2007, an individual's Social Security number in a manner inconsistent with subsection (b) of this section, which may continue using that individual's Social Security number in that manner on or after January 1, 2007, if all of the following conditions are met:

    (i) The use of the Social Security number is continuous. If the use is stopped for any reason, subsection (b) of this section shall apply.

    (ii) The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her Social Security number in a manner prohibited by subsection (b) of this section.

    (iii) A written request by an individual to stop the use of his or her Social Security number in a manner prohibited by subsection (b) of this section is implemented within 30 days of the receipt of the request. There shall not be a fee or charge for implementing the request.

    (iv) The person or entity does not deny services to an individual because the individual makes a written request pursuant to this subsection.

    (B) Nothing in this subdivision (8) is intended to apply to the collection, use, or dissemination of Social Security numbers collected prior to January 1, 2007 and exempted from the provisions of subsection (b) of this section pursuant to subdivisions (1) through (7) or (9) and (10) of this subsection.

    (9) To information obtained from a recorded document in the official records of the town clerk or municipality.

    (10) To information obtained from a document filed in the official records of the courts.

    (d) Except as provided in subsection (e) of this section, the State and any State agency, political subdivision of the State, an agent or employee of the State, a State agency, or a political subdivision of the State, may not do any of the following:

    (1) Collect a Social Security number from an individual unless authorized or required by law, State or federal regulation, or grant agreement to do so or unless the collection of the Social Security number or records containing the Social Security number is related to the performance of that agency's duties and responsibilities as prescribed by law.

    (2) Fail, when collecting a Social Security number from an individual in a hard copy format, to segregate that number on a separate page from the rest of the record, or as otherwise appropriate, in order that the Social Security number can be more easily redacted pursuant to a valid public records request.

    (3) Fail, when collecting a Social Security number from an individual, to provide, at the time of or prior to the actual collection of the Social Security number by that agency, that individual, upon request, with a statement of the purpose or purposes for which the Social Security number is being collected and used.

    (4) Use the Social Security number for any purpose other than the purpose set forth in the statement required under subdivision (3) of this subsection.

    (5) Intentionally communicate or otherwise make available to the general public a person's Social Security number.

    (6) Intentionally print or imbed an individual's Social Security number on any card required for the individual to access government services.

    (7) Require an individual to transmit the individual's Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted.

    (8) Require an individual to use the individual's Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.

    (9) Print an individual's Social Security number on any materials that are mailed to the individual, unless a State or federal law, regulation, or grant agreement requires that the Social Security number be on the document to be mailed. A Social Security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on an envelope, without the envelope having been opened.

    (e) Subsection (d) of this section does not apply to:

    (1) Social Security numbers disclosed to another governmental entity or its agents, employees, contractors, grantees, or grantors of a governmental entity if disclosure is necessary for the receiving entity to perform its duties and responsibilities. The receiving governmental entity and its agents, employees, and contractors shall maintain the confidential and exempt status of such numbers. As used in this subsection, "necessary" means reasonably needed to promote the efficient, accurate, or economical conduct of an entity's duties and responsibilities.

    (2) Social Security numbers disclosed pursuant to a court order, warrant, or subpoena, or in response to a facially valid discovery request pursuant to rules applicable to a court or administrative body that has jurisdiction over the disclosing entity.

    (3) Social Security numbers disclosed for public health purposes pursuant to and in compliance with requirements of the Department of Health under Title 18.

    (4) The collection, use, or release of a Social Security number reasonably necessary for administrative purposes or internal verification. Internal verification includes the sharing of information for internal verification between and among governmental entities and their agents, employees, contractors, grantees, and grantors.

    (5) Social Security numbers that have been redacted.

    (6)(A) A State agency or State political subdivision that has used, prior to January 1, 2007, an individual's Social Security number in a manner inconsistent with subsection (d) of this section, which may continue using that individual's Social Security number in that manner on or after January 1, 2007, if all of the following conditions are met:

    (i) The use of the Social Security number is continuous. If the use is stopped for any reason, subsection (d) of this section shall apply.

    (ii) The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her Social Security number in a manner prohibited by subsection (d) of this section.

    (iii) A written request by an individual to stop the use of his or her Social Security number in a manner prohibited by subsection (d) of this section is implemented within 30 days of the receipt of the request. There shall not be a fee or charge for implementing the request.

    (iv) The State agency or State political subdivision does not deny services to an individual because the individual makes a written request pursuant to this subdivision.

    (B) Nothing in this subdivision (e)(6) is intended to apply to the collection, use, or dissemination of Social Security numbers collected prior to January 1, 2007 and exempted from the provisions of subsection (d) of this section pursuant to subdivisions (1) through (5) or (7) through (11) of this subsection.

    (7) Certified copies of vital records issued by the Department of Health and other authorized officials pursuant to 18 V.S.A. part 6.

    (8) A recorded document in the official records of the town clerk or municipality.

    (9) A document filed in the official records of the courts.

    (10) The collection, use, or dissemination of Social Security numbers by law enforcement agencies and the Department of Public Safety in the execution of their duties and responsibilities.

    (11) The collection, use, or release of a Social Security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; undertake a permissible purpose enumerated under Gramm Leach Bliley, 12 C.F.R. § 216.13-15; or locate an individual who is missing, is a lost relative, or is due a benefit, such as a pension, insurance, or unclaimed property benefit.

    (f) Any person has the right to request that a town clerk or clerk of court remove from an image or copy of an official record placed on a town's or court's Internet website available to the general public or an Internet website available to the general public to display public records by the town clerk or clerk of court, the person's Social Security number, employer taxpayer identification number, driver's license number, State identification number, passport number, checking account number, savings account number, credit card or debit card number, or personal identification number (PIN) code or passwords contained in that official record. A town clerk or clerk of court is authorized to redact the personal information identified in a request submitted under this section. The request must be made in writing, legibly signed by the requester, and delivered by mail, facsimile, or electronic transmission, or delivered in person to the town clerk or clerk of court. The request must specify the personal information to be redacted, information that identifies the document that contains the personal information and unique information that identifies the location within the document that contains the Social Security number, employer taxpayer identification number, driver's license number, State identification number, passport number, checking account number, savings account number, credit card number, or debit card number, or personal identification number (PIN) code or passwords to be redacted. The request for redaction shall be considered a public record with access restricted to the town clerk, the clerk of court, their staff, or upon order of the court. The town clerk or clerk of court shall have no duty to inquire beyond the written request to verify the identity of a person requesting redaction and shall have no duty to remove redaction for any reason upon subsequent request by an individual or by order of the court, if impossible to do so. No fee will be charged for the redaction pursuant to such request. Any person who requests a redaction without proper authority to do so shall be guilty of an infraction, punishable by a fine not to exceed $500.00 for each violation.

    (g) Enforcement.

    (1) With respect to businesses, the State, State agencies, political subdivisions of the State, and agents or employees of the State, a State agency, or a political subdivision of the State, subject to this subchapter, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State's Attorney shall have sole and full authority to investigate potential violations of this subchapter, to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter, or any rules made pursuant to this subchapter, and to adopt rules under this subchapter, as the Attorney General and State's Attorney have under chapter 63 of this title. The Attorney General may refer the matter to the State's Attorney in an appropriate case. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State's Attorney under this subsection.

    (2) With respect to a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department shall have full authority to investigate potential violations of this subchapter, and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules adopted pursuant to this subchapter as the Department has under Title 8 or this title, or any other applicable law or regulation.

    (3) With respect to the information provided by the Vermont Department of Public Safety and law enforcement agencies, and any agent or employee thereof, to the Vermont Attorney General or State's Attorney pursuant to subdivision (1) of this subsection, the information provided or made available by the agency or Department to the Attorney General may be designated by the agency or Department as confidential, and shall not be released under the provisions of 1 V.S.A. § 317. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. July 1, 2007; amended 2011, No. 78 (Adj. Sess.), § 2, eff. April 2, 2012.)


  • Subchapter 004: DOCUMENT SAFE DESTRUCTION ACT
  • § 2445. Safe destruction of documents containing personal information

    (a) As used in this section:

    (1) "Business" means sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but in no case shall it include the State, a State agency, or any political subdivision of the State. The term includes an entity that destroys records.

    (2) "Customer" means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.

    (3) "Personal information" means the following information that identifies, relates to, describes, or is capable of being associated with a particular individual: his or her signature, Social Security number, physical characteristics or description, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.

    (4)(A) "Record" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted.

    (B) "Record" does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

    (b) A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of:

    (1) ensuring the security and confidentiality of customer personal information;

    (2) protecting against any anticipated threats or hazards to the security or integrity of customer personal information; and

    (3) protecting against unauthorized access to or use of customer personal information that could result in substantial harm or inconvenience to any customer.

    (c) An entity that is in the business of disposing of personal financial information that conducts business in Vermont or disposes of personal information of residents of Vermont must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.

    (d) This section does not apply to any of the following:

    (1) Any bank, credit union, or financial institution as defined under the federal Gramm Leach Bliley law that is subject to the regulation of the Office of the Comptroller of the Currency, the Federal Reserve, the National Credit Union Administration, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision of the U.S. Department of the Treasury, or the Department of Financial Regulation and is subject to the privacy and security provisions of the Gramm Leach Bliley Act, 15 U.S.C. § 6801 et seq.

    (2) Any health insurer or health care facility that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.

    (3) Any consumer reporting agency that is subject to and in compliance with the Federal Credit Reporting Act, 15 U.S.C. § 1681 et seq., as amended.

    (e) Enforcement.

    (1) With respect to all businesses subject to this section, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State's Attorney shall have sole and full authority to investigate potential violations of this section, and to prosecute, obtain, and impose remedies for a violation of this section, or any rules adopted pursuant to this section, and to adopt rules under this act, as the Attorney General and State's Attorney have under chapter 63 of this title. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State's Attorney under this subsection.

    (2) With respect to a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title to do business in this State, the Department of Financial Regulation shall have full authority to investigate potential violations of this act, and to prosecute, obtain, and impose remedies for a violation of this act, or any rules or regulations made pursuant to this act, as the Department has under Title 8 and this title, or any other applicable law or regulation. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 78 (Adj. Sess.), § 2, eff. April 2, 2012.)


  • Subchapter 005: DATA BROKERS
  •  [Section 2446 effective January 1, 2019.]

    § 2446. Annual registration

    (a) Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall:

    (1) register with the Secretary of State;

    (2) pay a registration fee of $100.00; and

    (3) provide the following information:

    (A) the name and primary physical, e-mail, and Internet addresses of the data broker;

    (B) if the data broker permits a consumer to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:

    (i) the method for requesting an opt-out;

    (ii) if the opt-out applies to only certain activities or sales, which ones; and

    (iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf;

    (C) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

    (D) a statement whether the data broker implements a purchaser credentialing process;

    (E) the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches;

    (F) where the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and

    (G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.

    (b) A data broker that fails to register pursuant to subsection (a) of this section is liable to the State for:

    (1) a civil penalty of $50.00 for each day, not to exceed a total of $10,000.00 for each year, it fails to register pursuant to this section;

    (2) an amount equal to the fees due under this section during the period it failed to register pursuant to this section; and

    (3) other penalties imposed by law.

    (c) The Attorney General may maintain an action in the Civil Division of the Superior Court to collect the penalties imposed in this section and to seek appropriate injunctive relief. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)

  •  [Section 2447 effective January 1, 2019.]

    § 2447. Data broker duty to protect information; standards; technical requirements

    (a) Duty to protect personally identifiable information.

    (1) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

    (A) the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under such comprehensive information security program;

    (B) the amount of resources available to the data broker;

    (C) the amount of stored data; and

    (D) the need for security and confidentiality of personally identifiable information.

    (2) A data broker subject to this subsection shall adopt safeguards in the comprehensive security program that are consistent with the safeguards for protection of personally identifiable information and information of a similar character set forth in other State rules or federal regulations applicable to the data broker.

    (b) Information security program; minimum features. A comprehensive information security program shall at minimum have the following features:

    (1) designation of one or more employees to maintain the program;

    (2) identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including:

    (A) ongoing employee training, including training for temporary and contract employees;

    (B) employee compliance with policies and procedures; and

    (C) means for detecting and preventing security system failures;

    (3) security policies for employees relating to the storage, access, and transportation of records containing personally identifiable information outside business premises;

    (4) disciplinary measures for violations of the comprehensive information security program rules;

    (5) measures that prevent terminated employees from accessing records containing personally identifiable information;

    (6) supervision of service providers, by:

    (A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and

    (B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information;

    (7) reasonable restrictions upon physical access to records containing personally identifiable information and storage of the records and data in locked facilities, storage areas, or containers;

    (8)(A) regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personally identifiable information; and

    (B) upgrading information safeguards as necessary to limit risks;

    (9) regular review of the scope of the security measures:

    (A) at least annually; or

    (B) whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personally identifiable information; and

    (10)(A) documentation of responsive actions taken in connection with any incident involving a breach of security; and

    (B) mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personally identifiable information.

    (c) Information security program; computer system security requirements. A comprehensive information security program required by this section shall at minimum, and to the extent technically feasible, have the following elements:

    (1) secure user authentication protocols, as follows:

    (A) an authentication protocol that has the following features:

    (i) control of user IDs and other identifiers;

    (ii) a reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, such as biometrics or token devices;

    (iii) control of data security passwords to ensure that such passwords are kept in a location and format that do not compromise the security of the data they protect;

    (iv) restricting access to only active users and active user accounts; and

    (v) blocking access to user identification after multiple unsuccessful attempts to gain access; or

    (B) an authentication protocol that provides a higher level of security than the features specified in subdivision (A) of this subdivision (c)(1).

    (2) secure access control measures that:

    (A) restrict access to records and files containing personally identifiable information to those who need such information to perform their job duties; and

    (B) assign to each person with computer access unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls or a protocol that provides a higher degree of security;

    (3) encryption of all transmitted records and files containing personally identifiable information that will travel across public networks and encryption of all data containing personally identifiable information to be transmitted wirelessly or a protocol that provides a higher degree of security;

    (4) reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;

    (5) encryption of all personally identifiable information stored on laptops or other portable devices or a protocol that provides a higher degree of security;

    (6) for files containing personally identifiable information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personally identifiable information or a protocol that provides a higher degree of security;

    (7) reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis or a protocol that provides a higher degree of security; and

    (8) education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security.
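As an added illustration, not part of the statute or of any data broker's own code, the following minimal login gate maps each check to the subdivision of subsection (c) it addresses: unique user IDs, rejection of vendor-default passwords, salted-hash password storage, refusal of inactive accounts, lockout after repeated failures, and an audit trail for monitoring. The attempt threshold, lockout duration, PBKDF2 iteration count and the default-password list are assumed values, not figures from the statute.

```python
"""Authentication gate modelled on 9 V.S.A. § 2447(c)(1), (c)(2) and (c)(4).

Constructed example; each check is commented with the subdivision it addresses.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # assumed threshold for (c)(1)(A)(v)
LOCKOUT_SECONDS = 15 * 60      # assumed lockout duration
PBKDF2_ITERATIONS = 200_000    # assumed work factor; tune for your hardware

# Constructed list of vendor-supplied defaults that must never be accepted, (c)(2)(B).
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}
MIN_PASSWORD_LENGTH = 12       # assumed minimum for (c)(1)(A)(ii)


@dataclass
class Account:
    user_id: str            # unique identifier, (c)(1)(A)(i) and (c)(2)(B)
    salt: bytes
    pw_hash: bytes          # only a salted hash is stored, never the password, (c)(1)(A)(iii)
    active: bool = True     # inactive accounts cannot log in, (c)(1)(A)(iv)
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthGate:
    def __init__(self, clock=time.time):
        self._accounts: dict[str, Account] = {}
        self._clock = clock                  # injectable so lockout expiry can be tested
        self.audit_log: list[tuple[str, str]] = []   # (event, user_id) for monitoring, (c)(4)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def create_account(self, user_id: str, password: str) -> None:
        if user_id in self._accounts:
            raise ValueError("user ID already assigned")           # (c)(1)(A)(i)
        if password.lower() in VENDOR_DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is a vendor default or too short")  # (c)(1)(A)(ii), (c)(2)(B)
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, self._hash(password, salt))
        self.audit_log.append(("account_created", user_id))

    def deactivate(self, user_id: str) -> None:
        # Terminated users lose access immediately, (b)(5) and (c)(1)(A)(iv).
        self._accounts[user_id].active = False
        self.audit_log.append(("account_deactivated", user_id))

    def login(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        now = self._clock()
        if acct is None or not acct.active:
            # Same response for unknown and inactive IDs so the ID space is not enumerable.
            self.audit_log.append(("login_refused", user_id))
            return False
        if now < acct.locked_until:
            # Locked accounts are refused before any hashing work, (c)(1)(A)(v).
            self.audit_log.append(("login_locked", user_id))
            return False
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self.audit_log.append(("login_ok", user_id))
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS       # (c)(1)(A)(v)
            acct.failed_attempts = 0
            self.audit_log.append(("account_locked", user_id))
        else:
            self.audit_log.append(("login_failed", user_id))
        return False


if __name__ == "__main__":
    gate = AuthGate()
    gate.create_account("alice", "correct horse battery staple")
    print("good password:", gate.login("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        gate.login("alice", "wrong-password")
    print("after lockout:", gate.login("alice", "correct horse battery staple"))
    print(gate.audit_log)
```

The audit log is the hook for the "reasonable monitoring" in (c)(4): a burst of `login_failed` and `account_locked` events for one user, or `login_refused` across many IDs, is what a detection rule would alert on.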

    (d) Enforcement.

    (1) A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.

    (2) The Attorney General has the same authority to adopt rules to implement the provisions of this chapter and to conduct civil investigations, enter into assurances of discontinuance, and bring civil actions as provided under chapter 63, subchapter 1 of this title. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)